[
https://issues.apache.org/jira/browse/JSPWIKI-44?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12596894#action_12596894
]
Janne Jalkanen commented on JSPWIKI-44:
---------------------------------------
Hmm... I'm wondering whether AuthenticationManager.login() is the right place
to put this. Or should it go to Login.jsp?
What should be strategy be - put the last logins in a rolling list and when a
single account is attempted more than X times it starts slowing things down?
> Add an invalid attempt lockout/unlock mechanism
> -----------------------------------------------
>
> Key: JSPWIKI-44
> URL: https://issues.apache.org/jira/browse/JSPWIKI-44
> Project: JSPWiki
> Issue Type: Improvement
> Components: Authentication&Authorization
> Affects Versions: 2.4.104, 2.5.139-beta, 2.6.0
> Reporter: Janne Jalkanen
> Priority: Minor
> Fix For: 2.8
>
>
> It is currently possible to attempt to brute force passwords, since there's
> no lock mechanism for failed password attempts.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
